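You are viewing the documentation for an older version of this plugin.
Configuration
This plugin is compatible with DB-less mode.
Compatible protocols
The ACME plugin is compatible with the following protocols:
grpc, grpcs, http, https
Parameters
Here is a list of all the parameters that can be used in this plugin's configuration.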
- name or plugin
  string, required
  The name of the plugin, in this case acme.
  - If using the Kong Admin API, Kong Konnect API, declarative configuration, or decK files, the field is name.
  - If using the KongPlugin object in Kubernetes, the field is plugin.
- instance_name
  string
  An optional custom name to identify an instance of the plugin (for example, acme_my-service). The instance name is shown in Kong Manager and in Konnect, so it is useful when running the same plugin in multiple contexts, for example on multiple services. You can also use it to access a specific plugin instance via the Kong Admin API.
  The instance name must be unique within the following contexts:
  - Within a workspace for Kong Gateway Enterprise
  - Within a control plane or control plane group for Konnect
  - Globally for Kong Gateway (OSS)
- enabled
  boolean, default: true
  Whether this plugin will be applied.
- config
  record, required
  - account_email
    string, required, referenceable, encrypted, matches: %w*%p*@+%w*%.?%w*
    The account identifier. Can be reused in a different plugin instance.
  - account_key
    record
    The private key associated with the account.
    - key_id
      string, required
      The Key ID.
    - key_set
      string
      The ID of the key set to associate the Key ID with.
  - api_uri
    string, default: https://acme-v02.api.letsencrypt.org/directory
    A string representing a URL, such as https://example.com/path/to/resource?q=search.
  - tos_accepted
    boolean, default: false
    If you are using Let’s Encrypt, you must set this to true to agree to the terms of service.
  - eab_kid
    string, referenceable, encrypted
    External account binding (EAB) key id. You usually don’t need to set this unless it is explicitly required by the CA.
  - eab_hmac_key
    string, referenceable, encrypted
    External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don’t need to set this unless it is explicitly required by the CA.
  - cert_type
    string, default: rsa
    Must be one of: rsa, ecc
    The certificate type to create. The possible values are 'rsa' for RSA certificate or 'ecc' for EC certificate.
  - rsa_key_size
    number, default: 4096
    Must be one of: 2048, 3072, 4096
    RSA private key size for the certificate. The possible values are 2048, 3072, or 4096.
  - renew_threshold_days
    number, default: 14
    Days remaining to renew the certificate before it expires.
  - domains
    array of type string
    An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*').
  - allow_any_domain
    boolean, default: false
    If set to true, the plugin allows all domains and ignores any values in the domains list.
  - fail_backoff_minutes
    number, default: 5
    Minutes to wait for each domain that fails to create a certificate. This applies to both a new certificate and a renewal certificate.
  - storage
    string, default: shm
    Must be one of: kong, shm, redis, consul, vault
    The backend storage type to use. The possible values are 'kong', 'shm', 'redis', 'consul', or 'vault'. In DB-less mode, 'kong' storage is unavailable. Note that 'shm' storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of 'kong', 'redis', 'consul', or 'vault' in production. Please refer to the Hybrid Mode sections below as well.
  - storage_config
    record, required
    - shm
      record, required
      - shm_name
        string, default: kong
        Name of shared memory zone used for Kong API gateway storage.
    - kong
      record, required
    - redis
      record, required
      - host
        string
        A string representing a host name, such as example.com.
      - port
        integer, between: 0 and 65535
        An integer representing a port number between 0 and 65535, inclusive.
      - database
        number
        The index of the Redis database to use.
      - auth
        string, referenceable
        The Redis password to use for authentication.
      - ssl
        boolean, required, default: false
        Whether to use SSL/TLS encryption when connecting to the Redis server.
      - ssl_verify
        boolean, required, default: false
        Whether to verify the SSL/TLS certificate presented by the Redis server. This should be a boolean value.
      - ssl_server_name
        string
        The expected server name for the SSL/TLS certificate presented by the Redis server.
      - namespace
        string, required, len_min: 0
        A namespace to prepend to all keys stored in Redis.
      - scan_count
        number, default: 10
        The number of keys to return in Redis SCAN calls.
    - consul
      record, required
      - https
        boolean, default: false
        Boolean representation of https.
      - host
        string
        A string representing a host name, such as example.com.
      - port
        integer, between: 0 and 65535
        An integer representing a port number between 0 and 65535, inclusive.
      - kv_path
        string
        KV prefix path.
      - timeout
        number
        Timeout in milliseconds.
      - token
        string, referenceable
        Consul ACL token.
    - vault
      record, required
      - https
        boolean, default: false
        Boolean representation of https.
      - host
        string
        A string representing a host name, such as example.com.
      - port
        integer, between: 0 and 65535
        An integer representing a port number between 0 and 65535, inclusive.
      - kv_path
        string
        KV prefix path.
      - timeout
        number
        Timeout in milliseconds.
      - token
        string, referenceable
        Consul ACL token.
      - tls_verify
        boolean, default: true
        Turn on TLS verification.
      - tls_server_name
        string
        SNI used in the request; defaults to host if omitted.
      - auth_method
        string, default: token
        Must be one of: token, kubernetes
        Auth method; defaults to token, can be 'token' or 'kubernetes'.
      - auth_path
        string
        Vault’s authentication path to use.
      - auth_role
        string
        The role to try and assign.
      - jwt_path
        string
        The path to the JWT.
  - preferred_chain
    string
    A string value that specifies the preferred certificate chain to use when generating certificates.
  - enable_ipv4_common_name
    boolean, default: true
    A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.
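
A declarative (decK-style) configuration that sets the parameters above with production use in mind, as an added example that is not part of the original Kong documentation. The host names, Redis namespace, `_format_version` value and the `{vault://env/...}` reference names are assumptions constructed for illustration; the comments mark where a value differs from the defaults listed on this page.

```yaml
_format_version: "3.0"              # assumed decK format version
plugins:
  - name: acme
    instance_name: acme_my-service
    config:
      # Referenceable field: resolved from a secret store instead of being
      # written into the file (reference name is a constructed placeholder).
      account_email: "{vault://env/acme-account-email}"
      tos_accepted: true            # default false; must be true for Let's Encrypt
      api_uri: https://acme-v02.api.letsencrypt.org/directory
      cert_type: ecc                # default rsa
      renew_threshold_days: 14
      fail_backoff_minutes: 5
      # Keep the default so certificates are only requested for hosts in `domains`.
      allow_any_domain: false
      domains:                      # constructed host names
        - api.example.com
        - portal.example.com
      # Default is shm, which does not persist across restarts and is not
      # shared between Kong nodes.
      storage: redis
      storage_config:
        redis:
          host: redis.internal.example.com
          port: 6379
          database: 0
          auth: "{vault://env/acme-redis-password}"   # referenceable field
          ssl: true                 # default false
          ssl_verify: true          # default false: server certificate is not checked unless set
          ssl_server_name: redis.internal.example.com
          namespace: "kong-acme:"   # prefix that separates these keys from other Redis users
```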